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1  Introduction 

Preserving  privacy  means  not  only  hiding  the  content  of  messages,  but  also  hid¬ 
ing  who  is  talking  to  whom  (traffic  analysis).  Much  like  a  physical  envelope, 
the  simple  application  of  cryptography  within  a  packet-switched  network  hides 
the  messages  being  sent,  but  can  reveal  who  is  talking  to  whom,  and  how  often. 
Onion  Routing  is  a  general  purpose  infrastructure  for  private  communication 
over  a  public  network  [8,  9,  4],  It  provides  anonymous  connections  that  are 
strongly  resistant  to  both  eavesdropping  and  traffic  analysis.  The  connections 
are  bidirectional,  near  real-time,  and  can  be  used  for  both  connection-based 
and  connectionless  traffic.  Onion  Routing  interfaces  with  off  the  shelf  soft¬ 
ware  and  systems  through  specialized  proxies,  making  it  easy  to  integrate  into 
existing  systems.  Prototypes  have  been  running  since  July  1997.  As  of  this 
article’s  publication,  the  prototype  network  is  processing  more  than  1  million 
Web  connections  per  month  from  more  than  six  thousand  IP  addresses  in  twenty 
countries  and  in  all  six  main  top  level  domains.  [7] 

Onion  Routing  operates  by  dynamically  building  anonymous  connections 
within  a  network  of  real-time  Chaum  Mixes  [3] .  A  Mix  is  a  store  and  forward 
device  that  accepts  a  number  of  fixed-length  messages  from  numerous  sources, 
performs  cryptographic  transformations  on  the  messages,  and  then  forwards 
the  messages  to  the  next  destination  in  a  random  order.  A  single  Mix  makes 
tracking  of  a  particular  message  either  by  specific  bit-pattern,  size,  or  ordering 
with  respect  to  other  messages  difficult.  By  routing  through  numerous  Mixes  in 
the  network,  determining  who  is  talking  to  whom  becomes  even  more  difficult. 
Onion  Routing’s  network  of  core  onion-routers  (Mixes)  is  distributed,  fault- 
tolerant,  and  under  the  control  of  multiple  administrative  domains,  so  no  single 
onion-router  can  bring  down  the  network  or  compromise  a  user’s  privacy,  and 
cooperation  between  compromised  onion-routers  is  thereby  confounded. 
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2  Application  Support  via  Proxies 

Onion  Routing  can  be  used  with  applications  that  are  proxy- aware,  as  well 
as  several  non-proxy-aware  applications,  without  modification  to  the  applica¬ 
tions.  Currently  supported  protocols  include  HTTP,  FTP,  SMTP,  rlogin,  tel¬ 
net,  NNTP,  finger,  whois,  and  raw  sockets.  Proxies  are  under  development  for 
Socks5,  DNS,  NFS,  IRC,  HTTPS,  SSH,  and  Virtual  Private  Networks  (VPNs). 
A  proxy  has  three  logical  layers:  an  optional  application  specific  privacy  filter 
that  sanitizes  the  data  streams;  an  application  specific  proxy  that  translates 
the  data  streams  into  an  application  independent  format  accepted  by  the  Onion 
Routing  network;  and  lastly,  an  onion  proxy  that  builds  and  manages  the  anony¬ 
mous  connections.  Because  it  builds  and  manages  the  anonymous  connections, 
the  onion  proxy  is  the  most  trusted  component  in  the  system.  Likewise,  to 
build  onions  and  hence  define  routes  the  onion  proxy  must  know  enough  of  the 
topology  and  link  state  of  the  network,  the  public  certificates  of  nodes  in  the 
network,  and  the  exit  policies  of  nodes  in  the  network.  This  information  is  dis¬ 
tributed  securely  within  the  network  automatically  as  new  nodes  come  on-line 
or  as  the  information  changes. 

3  Moving  Data  through  the  Network 

Onion  Routing’s  anonymous  connections  are  protocol  independent  and  exist 
in  three  phases:  connection  setup,  data  movement,  and  connection  tear-down. 
Setup  begins  when  the  initiator  creates  an  onion,  which  defines  the  path  of 
the  connection  through  the  network.  An  onion  is  a  (recursively)  layered  data 
structure  that  specifies  properties  of  the  connection  at  each  point  along  the 
route,  e.g.  cryptographic  control  information  such  as  the  different  symmetric 
cryptographic  algorithms  and  keys  used  during  the  data  movement  phase.  Each 
onion  router  along  the  route  uses  its  public  key  to  decrypt  the  entire  onion  that 
it  receives.  This  operation  exposes  the  cryptographic  control  information,  the 
identity  of  the  next  onion  router,  and  the  embedded  onion.  The  onion  router 
pads  the  embedded  onion  to  maintain  a  fixed  size,  and  sends  it  to  the  next  onion 
router.  After  the  connection  is  established,  data  can  be  sent  in  both  directions. 
Data  from  the  initiator  is  repeatedly  pre-encrypted  using  the  algorithms  and 
keys  that  were  specified  in  the  onion.  As  data  moves  through  the  anonymous 
connection,  each  onion-router  removes  one  layer  of  encryption  as  defined  by  the 
cryptographic  control  information  in  the  onion  defining  the  route,  so  the  data 
arrives  as  plaintext  at  the  recipient.  This  layering  occurs  in  the  reverse  order 
(using  different  algorithms  and  keys)  for  data  moving  backward.  Connection 
tear-down  can  be  initiated  by  either  end,  or  in  the  middle  if  needed. 

All  information  (onions,  data,  and  network  control)  are  sent  through  the 
Onion  Routing  network  in  uniform-sized  cells.  All  cells  arriving  at  an  onion- 
router  within  a  fixed  time  interval  are  mixed  together  to  reduce  correlation  by 
network  insiders.  Likewise,  the  long-standing  connections  between  onion-routers 
can  be  padded  and  bandwidth-limited  to  foil  external  observers.  An  Onion  looks 
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different  to  each  onion-router  along  a  connection  because  of  the  layered  public- 
key  cryptography.  Similarly,  the  layering  of  symmetric  cryptography  over  the 
data  phase  cells  makes  them  appear  different  to  each  onion-router.  This  design 
resists  traffic  analysis  more  effectively  than  any  other  deployed  mechanisms  for 
Internet  communication. 


4  Overhead 

Onion  Routing’s  overhead  is  relatively  small.  Connection  setup  overhead  is 
typically  much  less  than  one  second  and  appears  to  be  no  more  noticeable 
than  other  delays  associated  with  normal  web  connection  setup  on  the  Internet. 
Computationally  expensive  public-key  cryptography  is  used  only  during  this 
connection  setup  phase.  Also,  because  public  key  decryption  is  much  more  ex¬ 
pensive  than  encryption,  the  public  key  burden  is  mainly  placed  upon  the  onion 
routers  themselves,  where  dedicated  hardware  acceleration  can  be  justified.  The 
data  movement  phase  uses  only  secret-key  (symmetric)  cryptography,  which  is 
much  faster.  Furthermore,  since  the  symmetric  encryption  can  be  pipelined, 
data  throughput  can  be  made  as  fast  as  ordinary  link  or  end-to-end  encryption. 
Data  latency  is  affected  by  the  number  of  onion-routers  along  the  connection 
and  can  vary  with  route  length  and  the  duration  of  the  Mix  cycles. 

5  Network  Architectures  that  Shift  Trust 

Proxies,  onion-routers,  and  other  components  can  be  run  in  a  variety  of  dis¬ 
tributed  configurations.  This  allows  Onion  Routing  to  mesh  well  with  a  wide 
variety  of  operational  and  policy  environments.  At  one  extreme,  proxies  can 
run  remotely.  If  a  user  makes  a  secure  connection  (e.g.,  encrytped  or  withing 
a  firewall)  to  a  trusted  remote  proxy,  Onion  Routing’s  protection  can  be  uti¬ 
lized  without  installing  any  software  or  inducing  local  computational  overhead. 
At  the  other  extreme,  all  trusted  components  can  run  locally,  providing  maxi¬ 
mum  protection  of  anonymity  and  privacy  against  non-local  components,  even 
those  participating  in  a  connection.  In  between  these  two  extremes  are  multiple 
configurations  of  proxies  and  onion  routers,  running  on  enclave  firewalls  or  at 
ISPs. 

By  shifting  trust  in  this  way,  Onion  Routing  can  also  complement  other 
services  like  the  Anonymizer  [1]  and  LPWA  [6].  The  Anonymizer  uses  a  central, 
trusted  intermediary  to  provide  sender  anonymity  (i.e.,  hide  the  identity  of  the 
sender  from  the  receiver).  If  Onion  Routing  is  used  for  privacy,  an  Anonymizer 
can  run  as  a  filtering  proxy  on  the  user’s  desktop  (or  the  enclave  firewall,  or  the 
user’s  ISP)  to  add  sender  anonymity.  Security  is  improved  because  the  filtering 
executes  on  a  machine  the  user  trusts,  and  communication  leaving  that  machine 
will  resist  traffic  analysis.  Such  security  in  depth  removes  the  central  point  of 
failure  for  network  traffic  anonymity.  LPWA  provides  various  psuedonymy- 
based  services  (described  elsewhere  in  this  issue).  Like  Onion  Routing  it  is 
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designed  to  handle  email  in  addition  to  HTTP.  And,  like  Onion  Routing,  it  can 
be  configured  so  that  trusted  functions  are  performed  at  various  locations  [2]. 
However,  communication  between  and  from  these  points  is  not  itself  anonymous 
or  resistant  to  traffic  analysis.  This  makes  LPWA  and  Onion  Routing  especially 
natural  complements. 


6  Extensions 

A  natural  extension  to  Onion  Routing  is  the  introduction  of  reply  onions.  Reply 
onions  allow  connections  to  be  made  back  to  an  anonymous  sender  through  the 
Onion  Routing  network  long  after  the  original  connection  existed.  Reply  Onions 
could  be  used  to  send  anonymous  replies  in  response  to  a  previously  received 
anonymous  email.  They  could  also  enable  novel  applications  such  as  anonymous 
publishing  (anonymous  URLs)  similar  to  the  Rewebber  project  [5]. 

7  Conclusion 

In  summary,  Onion  Routing  is  a  traffic  analysis  resistant  infrastructure  that  is 
easily  accessible,  has  low  overhead,  can  protect  a  wide  variety  of  applications, 
and  is  flexible  enough  to  adapt  to  various  network  environments  and  security 
needs.  The  system  is  highly  extensible,  allowing  for  additional  symmetric  cryp¬ 
tographic  algorithms,  proxies,  or  routing  algorithms  with  only  minor  modifica¬ 
tions  to  the  existing  code  base.  Instructions  for  accessing  the  Onion  Routing 
network  can  be  found  on  our  web  page  along  with  additional  background,  point¬ 
ers  to  publications,  and  contact  information  [7]. 
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